11/10/2015
06:30 PM
JP Morgan Breach Only One Piece Of Vast Criminal Enterprise, Indictments Reveal

Three men at the head of 'diversified criminal conglomerate' used hacking to commit and enhance their securities fraud, illegal online gambling, illegal Bitcoin exchange, and illegal payment processing businesses, 23-count indictment alleges.

A 23-count indictment unsealed today shows that the 2014 JP Morgan Chase breach -- which resulted in the theft of 83 million customers' data -- wasn't just the work of talented cyber attackers. The breach was just one of the myriad illegal activities conducted by a "diversified criminal conglomerate" fueled by hacking.

The charges against Israeli citizens Gery Shalon and Ziv Orenstein, arrested in July, and U.S. citizen Joshua Samuel Aaron, who is still at large, include hacking, securities fraud, wire fraud, identity theft, illegal Internet gambling, and conspiring to commit money laundering. In a separate but related indictment unsealed today, Florida resident Anthony Murgio was charged with operating an unlicensed Bitcoin exchange service. The maximum sentences for the charges against Shalon alone, who is considered the "ringleader," add up to over 200 years in prison.

"The charged crimes showcase a brave new world of hacking for profit," Manhattan U.S. Attorney Preet Bharara said in a statement. "It is no longer hacking merely for a quick payout, but hacking to support a diversified criminal conglomerate. This was hacking as a business model."

Cybercrime was used to commit, support, or enhance all of the group's other illegal endeavors.

Between 2012 and 2015, Shalon and Aaron stole personally identifiable information from JP Morgan Chase and eight other businesses operating within the financial services sector. They then used that stolen data to "artificially manipulate" the price of certain stocks by marketing those stocks to the customer lists in a "deceptive and misleading manner," according to the Department of Justice release.

"The alleged conduct also signals the next frontier in securities fraud," said Bharara, "sophisticated hacking to steal nonpublic information, something the defendants discussed for the next stage of their sprawling enterprise. Fueled by their hacking, the defendants’ criminal schemes allegedly generated hundreds of millions of dollars in illicit proceeds."

The attackers owned and operated unlawful Internet gambling businesses, and used cybercrime to protect those shadowy companies' interests. Shalon broke into the networks of software providers the gambling businesses used, and monitored the emails of those software companies' executives to make sure their work with other gambling businesses didn't compromise Shalon's.

They owned and operated payment processors, IDPay and Todur, for illegal businesses -- taking cuts of the profits from illegal pharmaceutical suppliers, malware distributors, and unlawful online casinos. They used cybercrime to protect that operation as well. Shalon and his co-conspirators hacked into an organization that monitors merchants and payment processors for trading in unlawful goods and services. The criminals then monitored that organization's emails and detection efforts in order to prevent their own payment processors' illicit activity from being detected.

All told, 14 companies were breached.

Idan Tendler, CEO of FortScale and former commander of the 8200, the cyberwarfare division of the Israeli Defense Forces, says, "The shocking size and reach of this cyber breach underscores the sophistication of today’s cyber criminal enterprises and shows what security teams across all industries are up against. Today’s hackers aren’t necessarily looking for a quick payday. Once the initial data theft is completed, there are countless opportunities for cyber criminals to conduct targeted campaigns."

"The theft of data from [JP Morgan Chase] and the breaches at financial news outlets provided the ingredients to execute a very scalable and very profitable cybercrime operation," says Fred Kost, senior vice president at HyTrust. "Stolen information such as that from JPMC and other financial institutions is not only valuable to cybercriminals as the identity of an individual, but they can also use it in many different second order actions to provide context for more elaborate attacks and schemes for financial gain. It was as if they were running diversified lines of business, all well orchestrated and vertically integrated."

Philip Lieberman, president of Lieberman Software, says that part of the trouble lies in whether financial services companies and stock exchanges can change their culture to adapt to new risks.

"Changing a ship designed for commerce into one suitable for both trade and warfare takes time and wisdom," says Lieberman. "The challenge is not the change in technology, but with the behavior of all involved. Those charged with movement of goods tend to obstruct the need to arrive safely by depending on their knowledge and behaviors obtained long before the warfare began."

Shalon, Aaron, and Orenstein evaded authorities as long as they did by filtering their proceeds through 75 shell companies, banks, and brokerages across the world, and by using aliases. Between the three of them, they used over 200 fake identities and over 30 false passports purporting to be issued by the United States and 16 other countries.

"While we continue to see breaches go undetected for long periods of time, it’s unlikely operations of this magnitude will become commonplace. They are harder to carry out undetected," Kost says. Nevertheless, "We will likely see more of these creative ways of monetizing stolen information in the future as attackers evolve and look for newer ways to profit from hacking."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
danelleau1, User Rank: Strategist, 11/11/2015 | 6:34:12 AM
Cybercrime of the future
Great story. Wow. This reads like a new-era crime syndicate Sopranos movie, complete with bank heist, security fraud and money laundering.

larryloeb, User Rank: Apprentice, 11/10/2015 | 7:59:06 PM
Bitcoin Exchange?
>In a separate but related indictment unsealed today, Florida resident Anthony Murgio was charged for operating an unlicensed Bitcoin exchange service.

This is new to me. Who licenses Bitcoin exchanges? Individual states? The FTC?